package jdbc;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;

import util.DBUtil;

public class StudentLogin {
	// 有sql注入的漏洞
	public static void main(String[] args) {

		Connection con = DBUtil.getConnection();
		Statement st = null;
		ResultSet rs = null;
		Scanner sc = new Scanner(System.in);
		System.out.println("请输入学号：");
		int no = sc.nextInt();
		sc.nextLine();

		System.out.println("请输入密码:");
		String pass = sc.nextLine();
		// 一种方法:替换pass中的sql特殊字符,一般情况下，要替换 ' " \ % @
		// pass=pass.replaceAll("'", "\\'");

		String sql = "select * from student where stuno =" + no + " and pass='"
				+ pass + "'";
		System.out.println(sql);
		try {
			st = con.createStatement();
			rs = st.executeQuery(sql);
			if (rs.next()) {
				System.out.println("登录成功！用户信息是：" + rs.getString("sname") + ","
						+ rs.getString("telephone"));
			} else {
				System.out.println("学号或者密码错误！");
			}
		} catch (SQLException e) {
			// TODO 自动生成的 catch 块
			e.printStackTrace();
		} finally {
			DBUtil.closeAll(rs, st, con);
		}

	}

}
